RiskIQ: Ticketmaster Hackers Compromised Widely Used Tools

The criminal group behind the recent data breach at certain Ticketmaster websites may have also scooped up payment card and personal details from those using the company's sites in Australia, New Zealand, Turkey and Hungary, according to RiskIQ, which says the group's digital payment card skimmers may also affect as many as 800 other e-commerce sites.

Security company RiskIQ has been tracking Magecart, the criminal group that specializes in digital skimmers, or code designed to swipe information disclosed during e-commerce transactions.

"While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster." —Yonathan Klijnsma, RiskIQ

As part of its Ticketmaster investigation, RiskIQ says it determined that Magecart appears to have compromised several third-party tools used by as many as 800 e-commerce websites. The affected suppliers include PushAssist, Clarity Connect and Annex Cloud, according to RiskIQ.

Magecart, which has been active since 2015, has refined its tactics, RiskIQ says in a blog post. Those include a tactic used by other bad actors: targeting popular third-party software suppliers, which can enable large-scale compromises, says Ross Brewer, managing director for LogRhythm for EMEA.

"Hackers are persistent, clever people who have wised up to the fact that going after the big guys who have an array of sophisticated security tools in place is no easy feat," Brewer says. "Instead, they're redirecting their attention to smaller, third-party suppliers that can act as a gateway to more lucrative targets."

The customers affected were those who purchased or attempted to purchase tickets using the company's Ticketmaster International, Ticketmaster U.K., GETMEIN! and TicketWeb websites, it said in an advisory. The compromise occurred between February and June 23. North American customers were not affected.

Ticketmaster subsequently disabled Inbenta's software across its websites. It also sent password reset notices to those affected and offered one year of free identity theft monitoring.

Inbenta suggested in a statement that Ticketmaster was at fault. Inbenta says Ticketmaster, without telling Inbenta, directly applied to its payments page a script that Inbenta had modified at the company's request.

"Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability," Inbenta said. "The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers."

Sneaky Scripts

But RiskIQ says it has identified malicious code within a different third-party marketing and analytics service used by Ticketmaster. The service is developed by a company called SociaPlus.

"This supplier was also breached by the Magecart actors, and the scripts they served to customers were modified on subdomains specifically set up for Ticketmaster as a customer," RiskIQ says. "We observed instances in December 2017 through January 2018 where the Magecart skimmer was added to one of the SociaPlus scripts and subsequently injected into multiple Ticketmaster websites."

RiskIQ says it found skimming code embedded in SociaPlus's scripts used by Ticketmaster. (Source: RiskIQ)

SociaPlus's scripts no longer appear to contain the malicious code, RiskIQ says, "but we do not know if either Ticketmaster or SociaPlus are aware of this breach or if they've had discourse with each other about it."

Efforts to reach Ticketmaster officials and SociaPlus were not immediately successful.

Goal: Mass Compromise

The Magecart group continues to improve its digital skimmers as well as its targeting, RiskIQ says. It previously went after websites one at a time, compromising each and planting its skimming code.

"They've figured out that it's easier to compromise third-party suppliers of scripts and add their skimmer," the company writes. "In some cases, compromising one of these suppliers gives them nearly 10,000 victims instantly."
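For site operators, the supplier-side script changes described above can be caught by pinning third-party scripts with Subresource Integrity hashes and auditing payment pages for scripts that are not pinned. The sketch below is an added example, not code from RiskIQ or any company named in this article; the hostnames, script bodies and function names are constructed for illustration.

```javascript
// Added example; hostnames and script bodies below are constructed.
const crypto = require("node:crypto");

// SRI value in the form browsers expect: "sha384-<base64 digest>".
function sriHash(body) {
  return "sha384-" + crypto.createHash("sha384").update(body, "utf8").digest("base64");
}

// Collect src and integrity from every external <script> tag.
function listScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) continue; // inline script, not covered by this audit
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src[1], integrity: integrity ? integrity[1] : null });
  }
  return scripts;
}

// Classify each third-party script on the page. `fetched` maps a script URL
// to the body the supplier is serving right now.
function auditPage(html, firstPartyHost, fetched) {
  const base = "https://" + firstPartyHost;
  return listScripts(html)
    .filter((s) => new URL(s.src, base).host !== firstPartyHost)
    .map((s) => {
      let status = "modified"; // pinned, but served body no longer matches
      if (!s.integrity) status = "no-integrity"; // any supplier change runs unchecked
      else if (!(s.src in fetched)) status = "not-fetched";
      else if (s.integrity.split(/\s+/).includes(sriHash(fetched[s.src]))) status = "ok";
      return { src: s.src, status };
    });
}

// Constructed sample: a checkout page with one pinned and one unpinned supplier script.
const cleanWidget = "window.chatWidget={open(){}};";
const tamperedWidget = cleanWidget + "/* code appended at the supplier */";
const page = `
<script src="/static/checkout.js"></script>
<script src="https://chat.supplier.example/widget.js" integrity="${sriHash(cleanWidget)}" crossorigin="anonymous"></script>
<script src="https://analytics.supplier.example/tag.js"></script>`;
const fetched = {
  "https://chat.supplier.example/widget.js": tamperedWidget,
  "https://analytics.supplier.example/tag.js": "track();",
};
console.log(auditPage(page, "shop.example", fetched));
```

Hash pinning only fits suppliers that serve stable, versioned files; a script the supplier changes without notice will fail the check and be blocked by the browser.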

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
